Concatenating a Hash to a String
Chris Angelico
rosuav at gmail.com
Tue Dec 1 00:36:45 EST 2020
On Tue, Dec 1, 2020 at 4:34 PM Ivan "Rambius" Ivanov
<rambiusparkisanius at gmail.com> wrote:
>
> Hello,
>
> I want to store the hashes of strings in a database and I have
> problems generating the sql statements. I generate the hashes using
> hashlib and then convert it to base64 and I put the base64
> representation in the sql. Here is the code:
>
> sql = "insert into HASHES value ('" + ehash + "')"
>
Don't do this! DO NOT do this! Even if it might happen to work with a
base64-encoded value, this is a terrible, terrible bug just waiting to
happen. Instead, use *parameterized queries* and keep your SQL safe.
Concatenating arbitrary data into an SQL statement is one of the top
ten most common and dangerous flaws in application code. Just don't do
it.
ChrisA
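The advice above, worked through as an added example (not code from the thread): the hash is built with hashlib and base64 exactly as the original poster describes, then inserted with a parameterized query. The string-concatenation version from the question is kept beside it to show why it only "happens to work" for base64 text. Assumes SQLite via the standard sqlite3 module and a one-column table HASHES; both are constructed here.

```python
import base64
import hashlib
import sqlite3


def make_hash(text: str) -> str:
    """SHA-256 of the text, base64-encoded, as in the original post."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def open_db() -> sqlite3.Connection:
    # Constructed in-memory database with the table name used in the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE HASHES (ehash TEXT NOT NULL)")
    return conn


def store_hash(conn: sqlite3.Connection, ehash: str) -> None:
    # Parameterized: the value travels separately from the statement and is
    # never parsed as SQL, so quotes or other characters in it are harmless.
    conn.execute("INSERT INTO HASHES (ehash) VALUES (?)", (ehash,))
    conn.commit()


def fetch_all(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute("SELECT ehash FROM HASHES ORDER BY rowid")]


def store_by_concatenation(conn: sqlite3.Connection, ehash: str) -> bool:
    """The pattern from the question (VALUES spelled out so SQLite accepts it).

    Returns False when the pasted-in value breaks the statement. base64 output
    contains no apostrophes, which is the only reason this appears to work;
    any value with a quote in it makes the statement fail or mean something else.
    """
    sql = "insert into HASHES values ('" + ehash + "')"
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.Error:
        return False
```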